Operator | 1 Jul 1997 09:00

Monthly reminder (IETF-PKIX list)

Welcome to the ietf-pkix mailing list!

If you ever want to remove yourself from this mailing list, 
send the following command in email to "listserv <at> tandem.com"
(NOT ietf-pkix <at> tandem.com):

    unsubscribe <your e-mail-id> ietf-pkix

Here's the general information for the list you've subscribed to, in
case you don't already have it:

Welcome to the ietf-pkix list. This list is intended to discuss
matters directly related to developing the Internet standards needed to
support an X.509-based public key infrastructure (PKI). The resulting
PKI is intended to provide a framework which will support a range of
trust/hierarchy environments and a range of usage environments.

If you have any questions about this interest group, you can contact 

                Warwick Ford at wford <at> verisign.com  
                             or 
                Jean Pawluk at pawluk_jean <at> tandem.com.

If you have any questions about this list service in general, you
can contact postmaster <at> tandem.com.

Nada Kapidzic Cicovic | 1 Jul 1997 10:21

registering a new object identifier

I was wondering what would be the best way of registering a new
organisational object identifier (in order to be able to make object
identifiers for private extensions and certification policies)? 

It seems that IANA is doing that job for SNMP business. Are there any other
efficient ways for the registration? 

Any help is very appreciated.

Regards,

Nada
______________________________________________________________

Nada Kapidzic Cicovic
COST - Computer Security Technologies CST AB 
(subsidiary of Entegrity Solutions Corporation)
office:   + 46 (0)8 477 77 37
mobile:   + 46 (0)495 09 03
fax:      + 46 (0)8 477 77 31
e-mail:   nada <at> cost.se or nada <at> entegrity.com
address:  Finlandsgatan 60, 164 74 Kista, Sweden

Housley, Russ | 1 Jul 1997 07:59

Re: PKIX Part 1 Certificate Policies extension


Dave:

I think you are correct.

Russ

______________________________ Reply Separator _________________________________
Subject: PKIX Part 1 Certificate Policies extension
Author:  dpkemp <at> missi.ncsc.mil (David P. Kemp) at internet
Date:    6/24/97 9:52 AM

Prodded by the release of the new Part 3, I've been working on examples 
for Part 1, and have a question about the syntax of the Certificate 
Policies extension.

The text of section 4.2.1.5 shows:

  PolicyQualifierId ::= ENUMERATED { id-pkix-cps, id-pkix-unotice }

where id-pkix-cps and id-pkix-unotice are OIDs.  I'm not sure this is 
legal syntax - isn't ENUMERATED required to have integer values, not OIDs? 
But the use of the pkix OIDs agrees with the text in X.509, which says:

   CERT-POLICY-QUALIFIER ::= CLASS {
        &id           OBJECT IDENTIFIER UNIQUE, 
        &Qualifier    OPTIONAL }

However, PKIX part 1 section 9 (the ASN.1 appendix) says:


Anil R. Gangolli | 1 Jul 1997 18:09

Re: registering a new object identifier

In general, you have to find out from ISO; they may have delegated
the authority for your region or for the subtree in which you wish
to register.  Perhaps someone has the information for Sweden.

In the US, ISO has delegated the authority to ANSI for
numeric object identifier prefixes and Distinguished
Name registration.

Here is the last contact information I have for that.
Note this is a personal e-mail address rather than
a role address.

I am not sure if it is current; but it was ok as late as
last summer.  One may be able to find more recent information
at their web site http://www.ansi.org

     Tel: 212 642 4884
     Fax: 212 398 0023
     e-mail: ATTMAIL.COM!MMAAS
     X.400: C=US AD=ATTMAIL G=MICHELLE S=MAAS USER NAME=MMAAS

     Internet e-mail MMAAS <at> ansi.org

Luis Valente | 1 Jul 1997 20:48

Re: registering a new object identifier

In the US you would do so by requesting an OID for your company from ANSI
(see http://cell-relay.indiana.edu/cell-relay/FAQ/nsap/fact.html for details).

I suspect that in Sweden the Swedish National Standards Body (whatever
its name is) will also be the registration authority for OIDs.

/Luis

At 10:21 AM 7/1/97 +0200, Nada Kapidzic Cicovic wrote:
>I was wondering what would be the best way of registering a new
>organisational object identifier (in order to be able to make object
>identifiers for private extensions and certification policies)? 
>
>It seems that IANA is doing that job for SNMP business. Are there any other
>efficient ways for the registration? 
>
>Any help is very appreciated.
>
>
>Regards,
>
>Nada
>______________________________________________________________
>
>Nada Kapidzic Cicovic
>COST - Computer Security Technologies CST AB 
>(subsidiary of Entegrity Solutions Corporation)
>office:   + 46 (0)8 477 77 37
>mobile:   + 46 (0)495 09 03
>fax:      + 46 (0)8 477 77 31
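
The two questions in this thread, where an organisation's own OIDs come from and (in the Certificate Policies discussion above) whether a policy qualifier id is carried as an OBJECT IDENTIFIER, meet on the wire. The following is an added example, not code from any poster: it derives sub-arcs under an organisational arc and DER-encodes a certificatePolicies extension value whose qualifier id is the PKIX CPS-pointer OID (id-qt-cps, 1.3.6.1.5.5.7.2.1), then decodes it to show the qualifier id's tag is 0x06 (OBJECT IDENTIFIER), not 0x0A (ENUMERATED). The arc 1.3.6.1.4.1 is IANA's Private Enterprise Number space; the enterprise number 99999 used here is a constructed placeholder, and `sub_arc`, `der_oid` and `qualifier_id_tag` are names chosen for this example.

```python
# Added example: OID allocation under a registered arc and DER encoding of
# a certificatePolicies value (X.690 encoding rules, PKIX structures).
# 99999 is a constructed placeholder enterprise number, not a registered one.

ORG_ARC = "1.3.6.1.4.1.99999"          # placeholder: IANA PEN arc + enterprise number
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"        # id-qt-cps: CPS pointer policy qualifier
ID_CE_CERTIFICATE_POLICIES = "2.5.29.32"

TAG_OID = 0x06
TAG_ENUMERATED = 0x0A
TAG_IA5STRING = 0x16
TAG_SEQUENCE = 0x30


def sub_arc(arc, *components):
    """Derive a child OID under `arc`, e.g. sub_arc(ORG_ARC, 1, 1) -> ORG_ARC + '.1.1'."""
    for c in components:
        if not isinstance(c, int) or c < 0:
            raise ValueError("OID arcs must be non-negative integers")
    return ".".join([arc] + [str(c) for c in components])


def _der_length(n):
    # Short form below 128, long form (0x80 | number of length bytes) above.
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Wrap content in a DER tag-length-value."""
    return bytes([tag]) + _der_length(len(content)) + content


def _base128(n):
    # Big-endian base-128 with the continuation bit set on all but the last byte.
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def der_oid(dotted):
    """DER-encode a dotted OID string; the first two arcs share one subidentifier."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] >= 40):
        raise ValueError("invalid OID: " + dotted)
    content = _base128(arcs[0] * 40 + arcs[1])
    for a in arcs[2:]:
        content += _base128(a)
    return der_tlv(TAG_OID, content)


def certificate_policies(policy_oid, cps_uri):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation, with one CPS qualifier.

    PolicyQualifierInfo carries policyQualifierId as an OBJECT IDENTIFIER and,
    for id-qt-cps, the qualifier itself as an IA5String URI.
    """
    qualifier = der_tlv(TAG_SEQUENCE,
                        der_oid(ID_QT_CPS) + der_tlv(TAG_IA5STRING, cps_uri.encode("ascii")))
    policy_info = der_tlv(TAG_SEQUENCE,
                          der_oid(policy_oid) + der_tlv(TAG_SEQUENCE, qualifier))
    return der_tlv(TAG_SEQUENCE, policy_info)


def _read_tlv(buf, pos):
    # Returns (tag, content, position after this TLV) for the TLV at `pos`.
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def qualifier_id_tag(ext_value):
    """Return the ASN.1 tag of the first policyQualifierId in an encoded certificatePolicies value."""
    _, policies, _ = _read_tlv(ext_value, 0)
    _, policy_info, _ = _read_tlv(policies, 0)
    _, _, pos = _read_tlv(policy_info, 0)          # skip policyIdentifier
    _, qualifiers, _ = _read_tlv(policy_info, pos)
    _, qualifier, _ = _read_tlv(qualifiers, 0)
    tag, _, _ = _read_tlv(qualifier, 0)
    return tag


if __name__ == "__main__":
    my_policy = sub_arc(ORG_ARC, 1, 1)       # e.g. <org arc>.1 = policies, .1.1 = first policy
    value = certificate_policies(my_policy, "http://example.com/cps")
    print(my_policy, value.hex())
    print("qualifier id tag:", hex(qualifier_id_tag(value)))   # 0x6, i.e. OBJECT IDENTIFIER
```

The registration question decides only the prefix: once an arc is assigned, the organisation allocates everything beneath it itself (a sub-arc for policies, another for private extensions) and nothing more is needed from the registrar. The decoder walk at the end is the check a verifier would apply to the ASN.1 question: whatever the draft's notation says, the bytes carry the qualifier id as an OID.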

Bob Jueneman | 2 Jul 1997 19:12

Re: RE: Safe Key Generation

Peter sent this to me off the list, but I would be very remiss if I did not
acknowledge the significant contribution that Entrust has made, even as a
Canadian company, in getting their product certified against the US FIPS
140-1 standard.

But unless I slept through something momentous, I never heard of a C2 version
of Windows 3.1 or Windows 95, for that matter.  Windows NT, yes, maybe, if
properly installed, although I don't believe Microsoft has received their
official NCSC certification yet (I may be wrong -- I know it is coming). 
And to the best of my knowledge, that certification goes out the Window (no
pun intended) as soon as you connect NT to a network.  And how many NT's do
you know of that are not connected to a network?

But my real point was, without some Truth in Advertising labeling of the
certificate or of each digital signature, how do you know?  And without
knowing, how can you really know how much credence to associate with any
particular digital signature?

Bob

>>> Peter Whittaker <pww <at> entrust.com> 07/02/97 05:21AM >>>
>At 10:08 AM -0700 7/1/97, Bob Jueneman wrote:
>>How many user key pairs do you know of that were generated on TCSEC-rated A1
>>systems using FIPS 140-1 rated level 4 cryptographic implementations? None,
>>you say?  OK, how many key pairs do you know of that were at least generated
>>on a C2 rated system, using a FIPS 140-1 level 1 rated crypto?  Again,
>>virtually none, you say?

Matt Bishop | 2 Jul 1997 21:15

CFP: 1998 SNDSS (updated; last reminder!)

CALL FOR PAPERS

The Internet Society Symposium on Network and Distributed System Security

Where: Catamaran Resort, San Diego, California
When: March 11-13, 1998

GOAL: The symposium will foster information exchange between hardware and
software developers of network and distributed system security services.
The intended audience is those who are interested in the practical aspects
of network and distributed system security, focusing on actual system
design and implementation, rather than theory.  Encouraging and enabling
the Internet community to apply, deploy, and advance the state of available
security technology is the major focus of symposium.  Symposium proceedings
will be published by the Internet Society.  Topics for the symposium
include, but are not limited to, the following:

* Architectures for large-scale, heterogeneous distributed systems
* Security in malleable systems: mobile code, mobile agents, dynamic policy
  updates, etc.
* Special problems: e.g. interplay between security goals and other goals --
  efficiency, reliability, interoperability, resource sharing, and cost.
* Integrating security services with system and application security
  facilities and with application protocols, including message handling,
  file transport, remote file access,  directories, time synchronization,
  data base management, routing, voice and video multicast, network
  management, boot services, and mobile computing.
* Fundamental services:  authentication, integrity, confidentiality,
  authorization, non-repudiation, and availability.
* Supporting mechanisms and APIs: key management and certification

Stephen Kent | 2 Jul 1997 22:56

Re: RE: Safe Key Generation

Bob,

	I think you are correct in stating that only NT has been C2
evaluated and that evaluation does not include the networking software,
which brings into question the utility of the evaluation in just about any
practical setting.

Steve

Denis Pinkas | 4 Jul 1997 03:39

PKIX Part 1 : validity period

Since the next meeting is slowly coming, I took a look at the latest
specification draft-ietf-pkix-ipki-part1-04.txt from March 26 1996
(1997) and the text on validity (section 4.1.2.5 ) still looks like
that:         ^^

This field indicates the dates on which the certificate becomes valid
(notBefore) and on which the certificate ceases to be valid (notAfter). 
(...)

This text still needs to be amended to reflect the discussion we had in
San Jose.
I am expecting something along the following lines:

This field indicates the time period during which the CA warrants that
it will maintain information about the status of the certificate, i.e.
maintain revocation data. 

Other changes are needed as well.

When is the next version scheduled ?

Denis
-- 

      Denis Pinkas     Bull S.A.         E-mail : D.Pinkas <at> frcl.bull.fr
      Rue Jean Jaures  B.P. 68            Phone : 33 - 1 30 80 34 87
      78340 Les Clayes sous Bois. FRANCE   Fax  : 33 - 1 30 80 33 21

Dwight Arthur | 3 Jul 1997 18:52

CRL Push over S/Mime

Part Two describes CRL distribution via LDAP and FTP, and also OCSP,
presumably over HTTP. There is no description of S/Mime as a protocol
for the distribution of CRL's.

If I understood some prior information published to this list by
Netscape, Communicator 4 is most effectively able to respond to CRL's
received via S/Mime, and can even handle the expiration time specified
for a CRL.

Is an enhancement to Part Two to describe CRL distribution over S/Mime
in the offing?

-Dwight